Due to the fast pace of innovation in payments technology (e.g. contactless), the use of Point-of-Sale (PoS) devices has grown significantly in recent years. According to the Smart Payment Association, 48% of new cards issued in 2015 (excluding the US) were contactless. In Europe, more than EUR 16.1 billion was spent on contactless Visa cards in the 12 months to June 2015 – a 335% increase on the previous year.

At the same time, the frequency and complexity of threats against PoS devices continue to grow, with skimming devices and PoS malware among the biggest sources of stolen payment cards today. Some of the highest-profile breaches in recent history include the US retailer Target losing 40 million payment card details from hacked card readers in 2013, and Home Depot losing 56 million a year later, in 2014. But these are just the headlines. Smaller breaches against PoS devices happen every day, but rarely make the news.

PCI DSS Requirement 9.9 helps organizations protect their PoS devices

Any merchant accepting card payments via a PoS device or terminal must adhere to the latest PCI DSS regulations (currently PCI DSS 3.2, published in April 2016). Since PCI DSS 3.0, it has been a requirement for all PCI DSS merchants to take steps to protect their PoS devices. These guidelines – which were previously only best practice – are now mandatory in PCI DSS Requirement 9.9, which is dedicated to the physical security of cardholder data and how to protect it from criminals.

Requirement 9.9 states that all merchants must have controls in place to protect against direct physical tampering and substitution of the card-reading devices used in card-present transactions at the point of sale. This means any card swipe (or dip) at any PoS device or terminal used in face-to-face transactions. It also includes any unattended payment terminal accepting transactions where the customer's card is present, such as self-service kiosks.

It is worth emphasizing that Requirement 9.9 is no longer optional. It has been mandatory for maintaining PCI DSS compliance status since 1st July 2015. If you do not protect your PoS devices you will lose your compliant status and be unable to take card payments.

How do you protect your PoS devices?

Fundamentally, keeping PoS devices protected is all about physical security. The PCI Council can be very helpful here. For example, it maintains a database of approved PIN Transaction Security (PTS) devices which are validated to PCI standards. However, using approved devices is not enough. These devices must be inspected as often as possible to prevent malicious individuals from manipulating them. PCI DSS sets out three main requirements:

1. Maintaining an inventory of terminals/devices

Maintaining the physical security of card-reading devices starts from the moment the device is unpacked and continues until its eventual retirement. At a minimum, you must keep a record of the following details for every device: make, model, physical location (for example, the address of the site or facility where the device is located), serial number and any other method of unique identification.

You should have procedures in place to regularly validate this data and to log any changes as they happen, for example if a terminal is sent to another location or is disposed of.

2. Periodically inspect terminals/devices to look for tampering or substitution

The goal of this task is to detect tampering, skimming or substitution of card-reading devices and terminals. To be compliant you must first define and document the procedures for inspecting devices on a regular basis, and personnel must be trained in how to spot tampered or substituted devices.

Requirement 9.9 does not stipulate how often a device should be checked, since this depends on the risk profile of each device. The type of device, where it is located and whether it is unattended determine its risk profile, and therefore how often it should be inspected. The frequency of inspections is up to you – hourly, daily, weekly, monthly etc. – but you must determine your own inspection frequency and stick to it.

3. Train personnel

Finally, all personnel should be trained to effectively inspect payment card readers for evidence of tampering or substitution. Criminals might, for example, enter the premises posing as authorized maintenance personnel, or may simply send fake devices to the business which have been designed to steal card data. Regular security awareness training must be conducted with staff to maintain up-to-date knowledge. Evidence of this training, with employee sign-off, must be maintained.
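The three activities above (an inventory with make, model, location and serial number; a change log for relocations and disposals; and inspections whose cadence follows each device's risk profile) fit together naturally as one small record-keeping system. The following is an added example to illustrate that, not code from the original article or from Advantio. The device records, risk tiers, inspection intervals and finding codes are assumptions chosen for illustration; PCI DSS does not prescribe them, and the inspection frequency remains the merchant's own decision.

```python
"""Minimal PoS device inventory and inspection tracker (added example).

Models the three Requirement 9.9 activities described in the article:
an inventory keyed by device id, a change log, and periodic inspections
whose interval depends on an assumed risk tier. Field names, tiers and
intervals are illustrative assumptions, not PCI DSS values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed inspection cadence per risk tier, in days. Requirement 9.9 leaves
# the frequency to the merchant; these numbers are placeholders.
INSPECTION_INTERVAL_DAYS = {"high": 1, "medium": 7, "low": 30}


@dataclass
class Device:
    device_id: str
    make: str
    model: str
    location: str
    serial: str
    unattended: bool = False
    last_inspected: Optional[date] = None

    @property
    def risk(self) -> str:
        # Assumption: unattended terminals (kiosks) get the shortest interval.
        return "high" if self.unattended else "medium"


@dataclass
class Inventory:
    devices: dict = field(default_factory=dict)
    changes: list = field(default_factory=list)   # audit trail of changes
    findings: list = field(default_factory=list)  # inspection findings

    def register(self, dev: Device, when: date) -> None:
        self.devices[dev.device_id] = dev
        self.changes.append(
            f"{when} ADD {dev.device_id} {dev.make} {dev.model} "
            f"sn={dev.serial} at {dev.location}")

    def relocate(self, device_id: str, new_location: str, when: date) -> None:
        dev = self.devices[device_id]
        self.changes.append(f"{when} MOVE {device_id} {dev.location} -> {new_location}")
        dev.location = new_location

    def retire(self, device_id: str, when: date) -> None:
        dev = self.devices.pop(device_id)
        self.changes.append(f"{when} RETIRE {device_id} sn={dev.serial}")

    def inspect(self, device_id: str, observed_serial: str,
                seals_intact: bool, when: date) -> str:
        """Record an inspection; return 'ok' or a finding code.

        A serial number that differs from the inventory points to a
        substituted device; broken seals point to possible tampering.
        Only a clean inspection advances last_inspected."""
        dev = self.devices.get(device_id)
        if dev is None:
            self.findings.append(f"{when} UNKNOWN_DEVICE {device_id} sn={observed_serial}")
            return "unknown_device"
        if observed_serial != dev.serial:
            self.findings.append(
                f"{when} SUBSTITUTION {device_id} expected sn={dev.serial} "
                f"found sn={observed_serial}")
            return "substitution"
        if not seals_intact:
            self.findings.append(f"{when} TAMPERING {device_id} seals broken")
            return "tampering"
        dev.last_inspected = when
        return "ok"

    def overdue(self, today: date) -> list:
        """Ids of devices whose inspection interval has elapsed."""
        out = []
        for dev in self.devices.values():
            interval = timedelta(days=INSPECTION_INTERVAL_DAYS[dev.risk])
            if dev.last_inspected is None or today - dev.last_inspected > interval:
                out.append(dev.device_id)
        return sorted(out)


def demo() -> tuple:
    """Constructed walk-through; all device data here is made up."""
    inv = Inventory()
    d0 = date(2016, 6, 1)
    inv.register(Device("T-001", "ExampleCo", "X1", "Store 12 till 1", "SN-AAA"), d0)
    inv.register(Device("K-001", "ExampleCo", "Kiosk", "Store 12 lobby", "SN-BBB",
                        unattended=True), d0)
    inv.register(Device("T-002", "ExampleCo", "X1", "Store 14 till 3", "SN-CCC"), d0)

    inv.inspect("T-001", "SN-AAA", True, d0)   # clean
    inv.inspect("K-001", "SN-BBB", True, d0)   # clean
    inv.inspect("T-002", "SN-ZZZ", True, d0)   # serial mismatch: substitution
    inv.relocate("T-001", "Store 14 till 1", d0 + timedelta(days=3))
    inv.inspect("K-001", "SN-BBB", False, d0 + timedelta(days=3))  # seals broken

    today = d0 + timedelta(days=5)
    return inv.overdue(today), inv.findings, inv.changes


if __name__ == "__main__":
    for section in demo():
        print(*section, sep="\n")
```

Running `demo()` shows the two behaviours the article asks for: the kiosk and the swapped terminal come back as overdue (a failed inspection does not count as a completed one, and the unattended device has the shortest interval), and every substitution, tampering sign and relocation lands in a log that can be produced at audit time.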

Systems, systems, systems

In conclusion, the only way to maintain best practice is to introduce systems and procedures which force everyone to maintain the standards at all times. Any form of manual process – whether paper-based or using a spreadsheet – is simply not robust enough to be reliable.

It is also worth remembering that ticking the right boxes at the time of a PCI compliance audit is not enough to deliver security day to day. PoS security threats can occur at any time, and if your new staff members have not received training on how to spot a tampered device, or your business does not know where all its devices are, you are at risk. The only way to stay secure is to practice it every day, with good practice reinforced by a rigorous system. Organizations must protect their PoS devices daily, because being validated once a year does not guarantee protection for the other 364 days.

About Marco Borza

Marco Borza is chief executive officer of Advantio, a company offering a comprehensive range of services that help companies to enhance their cyber resilience whilst making them compliant with industry security standards. Previous roles include senior security consultant for Onformonics.

About Advantio

Advantio is the leading provider of cyber resilience services and PCI compliance technology. Advantio's certified professionals are trained to deliver a complete solution and assist Payment Service Providers, Financial Institutions and Banks through their cyber resilience journey from the first assessment to ongoing monitoring and maintenance of their security status.